Changes to any of the settings in the following table take effect immediately. You do not need to restart Horizon 7 Connection Server or Horizon Client.

Table 1. General Global Settings for Client Sessions

Setting

Description

View Administrator session timeout

Determines how long an idle Horizon Administrator session continues before the session times out.

Important:

Setting the Horizon Administrator session timeout to a high number of minutes increases the risk of unauthorized use of Horizon Administrator. Use caution when you allow an idle session to persist a long time.

By default, the Horizon Administrator session timeout is 30 minutes. You can set a session timeout from 1 to 4320 minutes (72 hours).

Forcibly disconnect users

Disconnects all desktops and applications after the specified number of minutes has passed since the user logged in to Horizon 7. All desktops and applications will be disconnected at the same time regardless of when the user opened them.

For clients that do not support application remoting, a maximum timeout value of 1200 minutes applies if the value of this setting is Never or greater than 1200 minutes.

The default is After 600 minutes.

Single sign-on (SSO)

If SSO is enabled, Horizon 7 caches a user's credentials so that the user can launch remote desktops or applications without having to provide credentials to log in to the remote Windows session. The default is Enabled.

If you plan to use the True SSO feature, introduced in Horizon 7 or later, SSO must be enabled. With True SSO, if a user logs in using some other form of authentication than Active Directory credentials, the True SSO feature generates short-term certificates to use, rather than cached credentials, after users log in to VMware Identity Manager.

Note:

If a desktop is launched from Horizon Client, and the desktop is locked, either by the user or by Windows based on a security policy, and if the desktop is running Horizon 7 Agent 6.0 or later or Horizon Agent 7.0 or later, Horizon 7 Connection Server discards the user's SSO credentials. The user must provide login credentials to launch a new desktop or a new application, or reconnect to any disconnected desktop or application. To enable SSO again, the user must disconnect from Horizon 7 Connection Server or exit Horizon Client, and reconnect to Horizon 7 Connection Server. However, if the desktop is launched from Workspace ONE or VMware Identity Manager and the desktop is locked, SSO credentials are not discarded.

For clients that support applications.

If the user stops using the keyboard and mouse, disconnect their applications and discard SSO credentials:

Protects application sessions when there is no keyboard or mouse activity on the client device. If set to After ... minutes, Horizon 7 disconnects all applications and discards SSO credentials after the specified number of minutes without user activity. Desktop sessions are not disconnected. Users must log in again to reconnect to the applications that were disconnected or launch a new desktop or application.

This setting also applies to the True SSO feature. After SSO credentials are discarded, users are prompted for Active Directory credentials. If users logged in to VMware Identity Manager without using AD credentials and do not know what AD credentials to enter, users can log out and log in to VMware Identity Manager again to access their remote desktops and applications.

Important:

Users must be aware that when they have both applications and desktops open, and their applications are disconnected because of this timeout, their desktops remain connected. Users must not rely on this timeout to protect their desktops.

If set to Never, Horizon 7 never disconnects applications or discards SSO credentials due to user inactivity.

The default is Never.

Other clients.

Discard SSO credentials:

Discards SSO credentials after the specified number of minutes. This setting is for clients that do not support application remoting. If set to After ... minutes, users must log in again to connect to a desktop after the specified number of minutes has passed since the user logged in to Horizon 7, regardless of any user activity on the client device.

If set to Never, Horizon 7 stores SSO credentials until the user closes Horizon Client, or the Forcibly disconnect users timeout is reached, whichever comes first.

The default is After 15 minutes.

Enable automatic status updates

Determines if status updates appear in the global status pane in the upper-left corner of Horizon Administrator every few minutes. The dashboard page of Horizon Administrator is also updated every few minutes.

By default, this setting is not enabled.

Display a pre-login message

Displays a disclaimer or another message to Horizon Client users when they log in.

Type your information or instructions in the text box in the Global Settings dialog box.

To display no message, leave the check box unselected.

Display warning before forced logoff

Displays a warning message when users are forced to log off because a scheduled or immediate update such as a desktop-refresh operation is about to start. This setting also determines how long to wait after the warning is shown before the user is logged off.

Check the box to display a warning message.

Type the number of minutes to wait after the warning is displayed and before logging off the user. The default is 5 minutes.

Type your warning message. You can use the default message:

Your desktop is scheduled for an important update and
will be shut down in 5 minutes. Please save any unsaved work now.

Enable Windows Server desktops

Determines whether you can select available Windows Server 2008 R2 and Windows Server 2012 R2 machines for use as desktops. When this setting is enabled, Horizon Administrator displays all available Windows Server machines, including machines on which Horizon 7 server components are installed.

Note:

The Horizon Agent software cannot coexist on the same virtual or physical machine with any other Horizon 7 server software component, including a security server, Horizon 7 Connection Server, or Horizon 7 Composer.

Clean up credential when tab closed for HTML Access

Removes a user's credentials from cache when a user closes a tab that connects to a remote desktop or application, or closes a tab that connects to the desktop and application selection page, in the HTML Access client.

When this setting is enabled, Horizon 7 also removes the credentials from cache in the following HTML Access client scenarios:

A user refreshes the desktop and application selection page or the remote session page.

The server presents a self-signed certificate, a user launches a remote desktop or application, and the user accepts the certificate when the security warning appears.

A user runs a URI command in the tab that contains the remote session.

When this setting is disabled, the credentials remain in cache. This feature is disabled by default.

Note:

This feature is available in Horizon 7 version 7.0.2 and later.

Mirage Server configuration

Allows you to specify the URL of a Mirage server, using the format mirage://server-name:port or mirages://server-name:port. Here server-name is the fully qualified domain name. If you do not specify the port number, the default port number 8000 is used.

Note:

You can override this global setting by specifying a Mirage server in the desktop pool settings.

Specifying the Mirage server in Horizon Administrator is an alternative to specifying the Mirage server when installing the Mirage client. To find out which versions of Mirage support having the server specified in Horizon Administrator, see the Mirage documentation, at https://www.vmware.com/support/pubs/mirage_pubs.html.

Enable this security setting to hide the Domain drop-down menu in Horizon Client 4.4 or later.

When users log in to a Connection Server instance for which the Hide domain list in client user interface global setting is enabled, the Domain drop-down menu is hidden in Horizon Client and users provide domain information in the Horizon Client User name text box. For example, users must enter their user name in the format domain\username or username@domain.

Important:

If you enable the Hide server information in client user interface and Hide domain list in client user interface settings and select two-factor authentication (RSA SecureID or RADIUS) for the Connection Server instance, do not enforce Windows user name matching. Enforcing Windows user name matching prevents users from entering domain information in the user name text box and login always fails. For more information, see the topics about two-factor authentication in the Horizon 7 Administration document.